
🛡️ Azure Virtual Machine is not utilizing Managed Disks🟢

  • Contextual name: 🛡️ Virtual Machine is not utilizing Managed Disks🟢
  • ID: /ce/ca/azure/virtual-machine/virtual-machine-managed-disks
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY, PERFORMANCE, COST

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-588af79c1

Description

Migrate blob-based (unmanaged) VHDs held in storage accounts to Managed Disks on Virtual Machines in order to get the features this configuration provides by default:

  1. Server-side encryption at rest, enabled by default.
  2. Resilience, as Microsoft manages the disk storage and relocates it if the underlying hardware fails.
  3. Lower cost and less operational overhead than managing storage accounts.

Rationale

Managed disks are encrypted at rest by default using server-side encryption with platform-managed keys, so no additional configuration is required for basic protection. Where stronger control over the keys is required, customer-managed keys and Azure Disk Encryption remain available. Managed disks are by design more resilient than VHDs stored in storage accounts.

For ARM-deployed Virtual Machines, Azure Advisor recommends moving VHDs to managed disks from both a security and a cost-management perspective.

Impact

There are additional costs for managed disks, which are billed on the disk size provisioned rather than on the space actually used. During conversion to managed disks, the VM is stopped (deallocated) and started again once the conversion completes.

Audit

From Azure Portal
  1. Using the search feature, go to Virtual Machines.
  2. Click the Manage view dropdown, then select Edit columns.

... see more
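
The portal steps above are a manual check. The following script is an added example (not part of the original page or the CIS benchmark) that performs the same audit across a whole subscription with the Az PowerShell module: it reports every VM whose OS disk or any data disk is still blob-based. It assumes the Az.Accounts and Az.Compute modules are installed and that Connect-AzAccount has already been run for the target subscription; the function name Get-UnmanagedDiskVm is my own.

```powershell
# Added audit example, not from the original page. Assumes Az.Compute is installed and
# Connect-AzAccount has been run. An unmanaged disk has no ManagedDisk resource ID and
# instead carries a VHD URI pointing into a storage account.
function Get-UnmanagedDiskVm {
    [CmdletBinding()]
    param(
        # Optional: restrict the audit to a single resource group
        [string]$ResourceGroupName
    )

    $vms = if ($ResourceGroupName) {
        Get-AzVM -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzVM
    }

    foreach ($vm in $vms) {
        $unmanaged = @()

        # OS disk: managed disks expose StorageProfile.OsDisk.ManagedDisk.Id
        $os = $vm.StorageProfile.OsDisk
        if (-not $os.ManagedDisk -or -not $os.ManagedDisk.Id) {
            $unmanaged += [pscustomobject]@{ Lun = 'OS'; Name = $os.Name; VhdUri = $os.Vhd.Uri }
        }

        # Data disks: same test per LUN, so a VM with a managed OS disk but legacy data disks is still flagged
        foreach ($dd in $vm.StorageProfile.DataDisks) {
            if (-not $dd.ManagedDisk -or -not $dd.ManagedDisk.Id) {
                $unmanaged += [pscustomobject]@{ Lun = $dd.Lun; Name = $dd.Name; VhdUri = $dd.Vhd.Uri }
            }
        }

        if ($unmanaged.Count -gt 0) {
            [pscustomobject]@{
                ResourceGroup   = $vm.ResourceGroupName
                VMName          = $vm.Name
                Location        = $vm.Location
                # The availability set matters for remediation: a Classic set must be converted first
                AvailabilitySet = if ($vm.AvailabilitySetReference) { $vm.AvailabilitySetReference.Id.Split('/')[-1] } else { $null }
                UnmanagedDisks  = ($unmanaged | ForEach-Object { "$($_.Lun):$($_.VhdUri)" }) -join '; '
            }
        }
    }
}

# Usage: print the findings and return a non-zero exit code so the check can gate a pipeline
$findings = @(Get-UnmanagedDiskVm)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) VM(s) still use unmanaged (blob-based) disks"
    exit 1
}
```

Each finding carries the VHD URIs so the storage accounts involved can be reviewed, and the availability set name so that VMs which need the set converted to the Aligned SKU before their own conversion are visible up front.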

Remediation

From Azure Portal

  1. Using the search feature, go to Virtual Machines.
  2. Select the virtual machine you would like to convert.
  3. Select Disks in the menu for the VM.
  4. At the top select Migrate to managed disks.
  5. You may follow the prompts to convert the disk and finish by selecting Migrate to start the process.

NOTE: VMs are stopped for the migration and restarted once it is complete.

From PowerShell

# Set to the resource group and VM to convert (placeholder values)
$rgName = "<resource-group-name>"
$vmName = "<vm-name>"

# The VM must be deallocated before its blob-based VHDs can be converted
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force

# Converts the OS disk and every attached data disk to managed disks
ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName

# Bring the VM back up once the conversion has finished
Start-AzVM -ResourceGroupName $rgName -Name $vmName
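
The single-VM commands above fail for a VM that belongs to a Classic availability set, because the set itself must be converted to the Aligned (managed) SKU before any of its members can use managed disks. The script below is an added example, not part of the original page: it converts an availability set and all of its member VMs, skipping VMs that are already managed, and then verifies that every disk has a managed-disk resource ID and reports its encryption type. It assumes Az.Compute is installed, Connect-AzAccount has been run, the resource group and availability set names are placeholders, and that the managed disks created by the conversion land in the VM's own resource group.

```powershell
# Added remediation example, not from the original page. Assumes Az.Compute is installed
# and Connect-AzAccount has been run; the two names below are placeholders.
$rgName    = "<resource-group-name>"
$avSetName = "<availability-set-name>"

# 1. Convert the availability set to the Aligned (managed) SKU first. A Classic set cannot
#    contain VMs with managed disks, so ConvertTo-AzVMManagedDisk would fail on its members.
$avSet = Get-AzAvailabilitySet -ResourceGroupName $rgName -Name $avSetName
if ($avSet.Sku -ne 'Aligned') {
    Update-AzAvailabilitySet -AvailabilitySet $avSet -Sku Aligned | Out-Null
}

# 2. Convert each member VM: deallocate, convert, start. Member IDs come from the set itself.
$vmNames = $avSet.VirtualMachinesReferences | ForEach-Object { $_.Id.Split('/')[-1] }
foreach ($vmName in $vmNames) {
    $vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
    if ($vm.StorageProfile.OsDisk.ManagedDisk -and $vm.StorageProfile.OsDisk.ManagedDisk.Id) {
        Write-Host "$vmName already uses managed disks; skipping"
        continue
    }
    Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force | Out-Null
    ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName | Out-Null
    Start-AzVM -ResourceGroupName $rgName -Name $vmName | Out-Null
}

# 3. Verify the result: every disk should now resolve to a managed-disk resource with
#    server-side encryption enabled by default (EncryptionAtRestWithPlatformKey unless a
#    customer-managed key has been configured).
foreach ($vmName in $vmNames) {
    $vm    = Get-AzVM -ResourceGroupName $rgName -Name $vmName
    $disks = @($vm.StorageProfile.OsDisk) + @($vm.StorageProfile.DataDisks)
    foreach ($d in $disks) {
        if (-not $d.ManagedDisk -or -not $d.ManagedDisk.Id) {
            Write-Warning "$vmName disk $($d.Name) is still unmanaged"
            continue
        }
        # Assumes the converted disk was created in the VM's resource group
        $md = Get-AzDisk -ResourceGroupName $rgName -DiskName $d.Name
        "{0}: {1} -> {2}, encryption {3}" -f $vmName, $d.Name, $md.Sku.Name, $md.Encryption.Type
    }
}
```

The conversion does not delete the original VHD blobs; they remain in the storage account and continue to incur charges, so delete them once the verification step confirms the managed disks are in place and the VMs boot correctly.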

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v1.3.0 → 💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual)11no data
💼 CIS Azure v1.4.0 → 💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual)11no data
💼 CIS Azure v1.5.0 → 💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual)11no data
💼 CIS Azure v2.0.0 → 💼 7.2 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Automated)11no data
💼 CIS Azure v2.1.0 → 💼 7.2 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Automated)11no data
💼 CIS Azure v3.0.0 → 💼 8.2 Ensure Virtual Machines are utilizing Managed Disks (Automated)1no data
💼 Cloudaware Framework → 💼 Performance Tuning4no data
💼 Cloudaware Framework → 💼 Resource Optimization24no data
💼 Cloudaware Framework → 💼 System Configuration45no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)2526no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)514no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)14no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)14no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.1 Information security requirements analysis and specification66no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records1015no data
💼 NIST CSF v1.1 → 💼 PR.IP-2: A System Development Life Cycle to manage systems is implemented69no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains3032no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection1014no data
💼 SOC 2 → 💼 CC7.1-1 Uses Defined Configuration Standards45no data